What to do about the impending shadow supply chain

When data breaches make headlines, it’s often difficult to know whether or not your organization sits in the blast radius.

This article was originally published in SC Magazine.

What can we learn from recent supply chain attacks at MailChimp, Okta, and others?

For starters, security pros need to have an answer ready when the CEO walks in and asks if the company uses Okta or any other product that may have been recently breached.

Is the security team ready to respond, with answers and an action plan in hand? Or would everyone have to carve out time in their day to investigate what just happened?

When data breaches make headlines, it’s often difficult to know whether or not your organization sits in the blast radius. That’s because so much of today’s digital supply chain gets defined by employees and teams across the organization adopting new cloud and SaaS services – whether the security team knows about it or not.

This can lead to a shadow supply chain – a complex web of unknown user accounts, services, resources, data, and permissions scattered across the internet. Shadow supply chains can change frequently as employees easily adopt and string together no-code services, creating a nightmare for security teams to manage and an ideal scenario for adversaries to exploit.

Take for example the recent MailChimp data breach, in which an attacker successfully exploited MailChimp employees to gain access to MailChimp customer data and APIs. The attacker was then able to send out clever phishing emails to the end customers of the companies targeted in the MailChimp breach, resulting in potential direct financial loss to those end customers.

In this scenario, a security pro could determine fairly quickly whether MailChimp was an approved and sanctioned supplier to the organization, and if so, the company would expect to receive a breach notification from MailChimp if it were impacted. However, it’s much more difficult and time-consuming to determine whether any company employees were using services that themselves rely on MailChimp to send email to their customers. This could put employees at risk of receiving phishing emails from seemingly trusted providers aimed at stealing their user credentials.

It’s worth noting that this recent MailChimp attack primarily targeted cryptocurrency and financial services companies and that MailChimp responded swiftly to revoke API access on compromised accounts. Still, this example underscores the complexity and scope of modern supply chain attacks.

How long would it take the team to investigate this type of breach and the potential impact to the organization? For most security leaders it would just take too much time given the nature of today’s over-extended security teams as well as the growing swell of these types of attacks. In fact, Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.

Shed light on the company's shadow supply chain

IT and security leaders urgently need better approaches to shed light on shadow supply chains and mitigate the risk of supply chain attacks. It’s no longer safe to assume that the organization can transfer such risk to the third-, fourth-, or even fifth-party provider that suffered the initial attack. To your end customers, the impact of a breach feels the same, no matter where it originated.
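The blast-radius question raised above (do we use the breached vendor directly, or through a service that uses it?) comes down to walking a supplier dependency graph. The following is an added example, not code from the article or from Nudge Security; the inventory, service names and user accounts are constructed sample data, and the graph shape (consumer points to supplier) is an assumption.

```python
from collections import deque

# Constructed sample inventory (not real data). Each key is a consumer, each value the
# suppliers it relies on. The org itself is the root; its direct suppliers are third parties,
# their suppliers fourth parties, and so on.
SUPPLIER_GRAPH = {
    "acme-corp": ["okta", "crm-saas", "newsletter-tool"],  # sanctioned and shadow SaaS alike
    "newsletter-tool": ["mailchimp"],  # a SaaS that sends its mail through MailChimp
    "crm-saas": ["aws", "mailchimp"],
    "okta": ["aws"],
    "mailchimp": [],
    "aws": [],
}

# Constructed: which employee accounts exist on which service (e.g. harvested from SSO or
# sign-up emails). This is the "shadow" part: nobody approved newsletter-tool centrally.
ACCOUNTS = {
    "okta": ["alice@acme.example", "bob@acme.example", "carol@acme.example"],
    "crm-saas": ["bob@acme.example", "carol@acme.example"],
    "newsletter-tool": ["alice@acme.example"],
}

NTH_PARTY = {1: "third-party", 2: "fourth-party", 3: "fifth-party"}


def exposure_paths(graph, root, breached):
    """Breadth-first search for every dependency chain from root down to the breached vendor."""
    paths = []
    queue = deque([[root]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == breached and len(path) > 1:
            paths.append(path)
            continue
        for dep in graph.get(node, []):
            if dep not in path:  # guard against cycles in a messy inventory
                queue.append(path + [dep])
    return paths


def blast_radius(graph, accounts, root, breached):
    """Summarise who and what in the org is exposed to a breached vendor, at any tier."""
    paths = exposure_paths(graph, root, breached)
    services = sorted({p[1] for p in paths})  # the direct suppliers that sit on an exposure path
    users = sorted({u for s in services for u in accounts.get(s, [])})
    tiers = sorted({NTH_PARTY.get(len(p) - 1, f"{len(p) - 1}-hop") for p in paths})
    return {"paths": paths, "services": services, "users": users, "tiers": tiers}
```

A breached vendor that appears only as a fourth party still surfaces the direct services and the employee accounts through which the org is exposed, which is the answer the CEO is asking for.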

To effectively shed light on a shadow supply chain, start at the source – the company’s employees. As employees introduce new IT to the organization, share sensitive assets across the internet, and connect all kinds of third-party services, it’s absolutely critical to make sure they are empowered to do so in highly secure and highly visible ways.

In today’s highly distributed and decentralized environments, it’s no longer feasible or even productive to “block and lock” every application or service that an employee wants to use to get work done. IT and security teams simply do not have the time or resources to scale this old approach, and savvy employees will find a workaround to complete their task at hand. Instead, look for ways to guide employees towards smarter decisions with in-the-moment security context and prompts that make it easier for them to introduce new suppliers and technologies in accordance with your security and governance policies.

Mitigate supply chain risks through collective defense

Recent headline-grabbing supply chain attacks and other cyberattacks have a common denominator: they increasingly target employees as the initial attack vector. Using social engineering tactics like phishing and bribery, attackers obtain user credentials, which they use to move covertly through the supply chain towards higher-value targets. This was the case in the recent attacks carried out by the threat group Lapsus$ that impacted Okta, Microsoft, and others.

In its security blog post about the threat group, Microsoft noted that it had found instances where the Lapsus$ group successfully gained access to target organizations through recruited employees (or employees of their suppliers or business partners).

Unfortunately, it’s a signal of a larger, looming trend. According to the 2021 Verizon DBIR, 85% of all data breaches today are caused by human interaction. As adversaries become more sophisticated in exploiting human behavior to launch attacks, cybersecurity teams must ratchet up efforts to build a culture of security awareness within their organizations. As the numbers show, traditional approaches like phishing simulations and training programs simply aren’t enough.

The industry as a whole must do more to address the human element of cybersecurity to begin to combat this trend. As recent attacks have shown, digital supply chains are only as secure as their weakest link. It will take broad collective action for collective defense.

Learn how Nudge Security can help mitigate SaaS supply chain risk.
